Many organizations depend on large software environments for managing internal and external business data. For example, most corporations have large databases and related applications for performing human resources functions, accounting, customer management, and so forth. These large environments often include many physical components, such as servers, as well as many software components, such as databases, client applications, backup and other administrative components, and so forth. Deployment and maintenance of large software environments consume a significant amount of the time and effort of organizational information technology (IT) departments. One example of a large software environment is MICROSOFT™ Forefront Identity Manager (FIM) 2010 (and MICROSOFT™ Identity Lifecycle Manager (ILM) 2007, which preceded it). FIM provides an integrated and comprehensive solution for managing user identities and their associated credentials in an organization, including identity synchronization, certificate and password management, and user provisioning, in a single solution that works across heterogeneous environments and allows IT departments to define and automate the processes used to manage identities from creation to retirement.
Organizations want to control what users can do to (or with) resources such as applications, file shares, printers, and SHAREPOINT™ sites that are under the organization's control. Such resources can include ‘on premise’ resources directly managed by the organization, or resources ‘in the cloud’ that are managed by a service provider and to which the organization has the ability to grant end users access. Further, organizations want to do this in a way that is provably (i.e., via audit) consistent with their governance, risk and compliance (GRC) policies. An ‘entitlement’ is a logical expression that describes the affirmative intent of an organization, which controls a resource (or resource collection), to allow a user, or a collection of users, to take an action on that resource (such as create, read, update, delete, print, copy, upload, or approve), or to hold membership in a group, role, or set that may convey privileges in an application.
Organizations want to manage the lifecycle of entitlements: who is able to create entitlements to specific resources for specific users or collections of users; how long an entitlement endures before it is subject to renewal or expiration; and what happens when an entitlement expires. Additionally, they want the capability to analyze existing and historical entitlements, in order to prove that their actual entitlements were consistent with their compliance policies, and to facilitate role mining (i.e., collecting similar users into roles). For example, an organization might want to model the policy, “every member of a compliance-tracked group has to request to renew their membership in that group every 6 months, and have that request approved by an owner of the group; or if not, that member shall be removed from the group.”
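As an added illustration (not code from the original text or from FIM), the following Python models the renewal policy quoted above: a membership in a compliance-tracked group survives past the 6-month mark only if a renewal request was approved by a group owner, otherwise the member is removed, and every decision is recorded for later audit. The field names, the 182-day approximation of 6 months and the sample memberships are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# "Every 6 months" is modelled as 182 days (an assumption; a real system would use calendar months).
RENEWAL_PERIOD = timedelta(days=182)

@dataclass(frozen=True)
class Membership:
    user: str
    group: str
    granted_on: date                    # date of creation or of the last approved renewal
    renewal_requested_on: Optional[date] = None
    approved_by: Optional[str] = None   # who approved the pending renewal request, if anyone
    approved_on: Optional[date] = None

@dataclass(frozen=True)
class Group:
    name: str
    owners: frozenset                   # only these identities may approve a renewal
    compliance_tracked: bool = True

def review(memberships, groups, today):
    """Apply the policy on `today`; return (kept, audit) with one (user, group, decision, reason) per membership."""
    kept, audit = [], []
    for m in memberships:
        g = groups[m.group]
        if not g.compliance_tracked or today < m.granted_on + RENEWAL_PERIOD:
            kept.append(m)
            audit.append((m.user, m.group, "keep", "renewal not yet due"))
            continue
        if (m.renewal_requested_on is not None and m.approved_by in g.owners
                and m.approved_on is not None and m.approved_on <= today):
            # Renewal approved by an owner: the clock restarts at the approval date, request fields reset.
            kept.append(replace(m, granted_on=m.approved_on, renewal_requested_on=None,
                                approved_by=None, approved_on=None))
            audit.append((m.user, m.group, "renew", f"approved by owner {m.approved_by}"))
        else:
            reason = "no renewal request" if m.renewal_requested_on is None else "not approved by a group owner"
            audit.append((m.user, m.group, "remove", reason))
    return kept, audit
# Constructed sample data (not from the original text); the review runs on 2024-07-01.
GROUPS = {"finance-approvers": Group("finance-approvers", frozenset({"carol"}))}
TODAY = date(2024, 7, 1)
SAMPLE = [
    Membership("alice", "finance-approvers", date(2024, 5, 1)),
    Membership("bob", "finance-approvers", date(2023, 12, 1), date(2024, 6, 20), "carol", date(2024, 6, 21)),
    Membership("dave", "finance-approvers", date(2023, 11, 1)),
    Membership("erin", "finance-approvers", date(2023, 11, 1), date(2024, 6, 25), "mallory", date(2024, 6, 26)),
]
```

Calling `review(SAMPLE, GROUPS, TODAY)` keeps alice (not yet due) and bob (owner-approved renewal, clock restarted at 2024-06-21) and removes dave (no request) and erin (approver is not an owner).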
Today, implementing entitlement lifecycles is a largely manual process. IT professionals may use scripts and other timesaving tools, but the decision-making around when, and on which users and resources, to invoke the scripts is largely handled manually or through loosely connected systems (e.g., a calendar reminder). This can result in users retaining access to resources for longer than intended, or long after a user changes role and should no longer have access. As users change jobs within an organization or leave the organization, eliminating unnecessary access to resources as quickly as possible reduces the likelihood of unintended access to resources.